From supinfo@caldera.com Thu Nov 8 22:31:54 2001 From: Support Info To: announce@lists.caldera.com, bugtraq@securityfocus.com, linux-security@redhat.com, linuxlist@securityportal.com Date: Tue, 6 Nov 2001 09:18:50 -0700 Subject: Security Update: [CSSA-2001-38.0] Linux - syncookies firewall breaking problem -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: Linux - syncookies firewall breaking problem Advisory number: CSSA-2001-038.0 Issue date: 2001, November 05 Cross reference: ______________________________________________________________________________ 1. Problem Description The Linux kernel implements a method called 'syn cookies' to avoid denial of service attacks by using a stateless connection setup. There is also a common form of firewalls, which are based on SYN filtering to block only incoming TCP connections, but let outgoing connections pass. Unfortunately the syncookies design allows a remote attacker to bypass SYN filtering firewalls in case there is one open port which the attacker can flood. The Linux 2.2 and 2.4 kernels had the syncookies state as a systemwide global, so it was enabled for all sockets at once in case of flood to an open port, allowing a remote attacker to gain access to firewalled ports, effectively bypassing the firewall. Even though the attack requires a very large number of IP packets, it is not unthinkable for a determined attacker to exploit this problem. 2. Vulnerable Versions System Package ----------------------------------------------------------- OpenLinux 2.3 All packages previous to linux-2.2.10-14 OpenLinux eServer 2.3.1 All packages previous to and OpenLinux eBuilder linux-2.2.14-13S OpenLinux eDesktop 2.4 All packages previous to linux-2.2.14-9 OpenLinux Server 3.1 All packages previous to linux-2.4.2-14S OpenLinux Workstation 3.1 All packages previous to linux-2.4.2-14D 3. Solution Workaround Disable syncookies by doing: echo -n 0 > /proc/sys/net/ipv4/tcp_syncookies The proper solution is to upgrade to the latest packages. 4. OpenLinux 2.3 4.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS The corresponding source code package can be found at: ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS 4.2 Verification f112b7346070972c44770b562df912db linux-kernel-binary-2.2.10-14.i386.rpm 7a8d2803e68227576998b9c12fb90976 linux-kernel-doc-2.2.10-14.i386.rpm 8c9a3a28c69d03efb6e325e1f83eca9a linux-kernel-include-2.2.10-14.i386.rpm 29020f946a358838cde15d54ee6a294c linux-source-alpha-2.2.10-14.i386.rpm 0a841ec165ee97425afb8d86f74a2eb4 linux-source-arm-2.2.10-14.i386.rpm dead286ad1491ceccabde12fd24eab88 linux-source-common-2.2.10-14.i386.rpm b8e37b6be024ceb02dbcff7e9191e067 linux-source-i386-2.2.10-14.i386.rpm 9789e6ea513b88f8dbdf4fd58405c69f linux-source-m68k-2.2.10-14.i386.rpm 14ae8aa4e6e075b1ce891048b4eb25ed linux-source-mips-2.2.10-14.i386.rpm d85b4cc17890c262a776bef9c100aa07 linux-source-ppc-2.2.10-14.i386.rpm 9a4398514eea89a9cae7bd28038b7d6b linux-source-sparc-2.2.10-14.i386.rpm 5f0c0e296f83cc1a0ed8e8f2b03087ba linux-source-sparc64-2.2.10-14.i386.rpm 25901d75de5b22e8eda388895a261564 pcmcia-cs-3.0.14-5.i386.rpm dfe1a96017b6a43949d740a5a2f17369 linux-2.2.10-14.src.rpm f07c67c7eeb6778d2b7320591bbecd14 pcmcia-cs-3.0.14-5.src.rpm 4.3 Installing Fixed Packages Upgrade the affected packages with the following commands: /sbin/modprobe loop rpm -Fvh --force linux-kernel-binary-2.2.10-14.i386.rpm \ linux-kernel-doc-2.2.10-14.i386.rpm \ linux-kernel-include-2.2.10-14.i386.rpm \ linux-source-alpha-2.2.10-14.i386.rpm \ linux-source-arm-2.2.10-14.i386.rpm \ linux-source-common-2.2.10-14.i386.rpm \ linux-source-i386-2.2.10-14.i386.rpm \ linux-source-m68k-2.2.10-14.i386.rpm \ linux-source-mips-2.2.10-14.i386.rpm \ linux-source-ppc-2.2.10-14.i386.rpm \ linux-source-sparc-2.2.10-14.i386.rpm \ linux-source-sparc64-2.2.10-14.i386.rpm \ pcmcia-cs-3.0.14-5.i386.rpm 5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0 5.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS The corresponding source code package can be found at: ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS 5.2 Verification e2f0150caeb4d7318716d05d5d4cb32e linux-kernel-binary-2.2.14-13S.i386.rpm 9c0940b9a84ff72c8a40e8a10add3d4b linux-kernel-doc-2.2.14-13S.i386.rpm 8cdfa9651a5e75d04a095696d4681663 linux-kernel-include-2.2.14-13S.i386.rpm db564909d2065c238271ae63c9ffd49a linux-source-alpha-2.2.14-13S.i386.rpm 4f80288d523347ec39e9cc38e7230f50 linux-source-arm-2.2.14-13S.i386.rpm 9c915c6026e86680299522da3e053e72 linux-source-common-2.2.14-13S.i386.rpm c7f9415335c293a9878b18abb5ed1864 linux-source-i386-2.2.14-13S.i386.rpm 3218946ecbd2b98c6661770757fa4e8d linux-source-m68k-2.2.14-13S.i386.rpm 6ab8925bdf73efe2b014ebcd3c2188bc linux-source-mips-2.2.14-13S.i386.rpm 035a4e5970bf0dc709c301daf751bc67 linux-source-ppc-2.2.14-13S.i386.rpm d611132b945774cb4b3a0e57ef323f1b linux-source-sparc-2.2.14-13S.i386.rpm 3b4048225724cab325a247d66bac2afe linux-source-sparc64-2.2.14-13S.i386.rpm d653ecbe3fa48e87f6c6ebbce81d8345 pcmcia-cs-3.1.4-5.i386.rpm 222e40903ce9f4fa823485984764369e linux-2.2.14-13S.src.rpm d78e703763fe9828627006706d65292e pcmcia-cs-3.1.4-5.src.rpm 5.3 Installing Fixed Packages Upgrade the affected packages with the following commands: /sbin/modprobe loop rpm -Fvh linux-kernel-binary-2.2.14-13S.i386.rpm \ linux-kernel-doc-2.2.14-13S.i386.rpm \ linux-kernel-include-2.2.14-13S.i386.rpm \ linux-source-alpha-2.2.14-13S.i386.rpm \ linux-source-arm-2.2.14-13S.i386.rpm \ linux-source-common-2.2.14-13S.i386.rpm \ linux-source-i386-2.2.14-13S.i386.rpm \ linux-source-m68k-2.2.14-13S.i386.rpm \ linux-source-mips-2.2.14-13S.i386.rpm \ linux-source-ppc-2.2.14-13S.i386.rpm \ linux-source-sparc-2.2.14-13S.i386.rpm \ linux-source-sparc64-2.2.14-13S.i386.rpm \ pcmcia-cs-3.1.4-5.i386.rpm 6. OpenLinux eDesktop 2.4 6.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS The corresponding source code package can be found at: ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS 6.2 Verification 3274fe3fbb7b302d6d0bee7186820fef hwprobe-20000214-6.i386.rpm 064ebec44665beb14eaa85ad4ecfc838 iBCS-2.1-12.i386.rpm d87d3c6f0cb937a0e51e68c6984b2c62 iBCS-extras-2.1-12.i386.rpm 7fd4443b17bc58f072572548b3c54886 iBCS-module-2.1_2.2.14-12.i386.rpm 4366e46e2ff02f9dadde291a483f1cf2 linux-kernel-binary-2.2.14-9.i386.rpm d54b1d4e4ad58022d5298e8c5359dad9 linux-kernel-doc-2.2.14-9.i386.rpm 320d182140b90c771993b031c66f2d4a linux-kernel-include-2.2.14-9.i386.rpm ad69ebbc9d8ee30de552e81f5c3b3cdf linux-source-alpha-2.2.14-9.i386.rpm 3f5434fc2fe4486e258a5981cd65dc36 linux-source-arm-2.2.14-9.i386.rpm a8fc5f92bf99b27674772966f390ce1d linux-source-common-2.2.14-9.i386.rpm 6fd8bde1cd3caf58195f6be09983a9cf linux-source-i386-2.2.14-9.i386.rpm 997e6d546da8149c8a9b4e78932a3ab5 linux-source-m68k-2.2.14-9.i386.rpm 27dcf591ef399c3b1a02011900cf92e3 linux-source-mips-2.2.14-9.i386.rpm ce4998917dcded5161b954672b9e7728 linux-source-ppc-2.2.14-9.i386.rpm 7b258bc6c66ac6d9305bc71e41ecd24c linux-source-sparc-2.2.14-9.i386.rpm fb5d48c243c3b10067f59f58f6f922f4 linux-source-sparc64-2.2.14-9.i386.rpm d4fbca082ccb49d9a9ed26b2e4868767 pcmcia-cs-3.1.8-5.i386.rpm b5465215f5dbe5c430e684a9899af9f7 hwprobe-20000214-6.src.rpm ccbfc2eab5d5111866abcba90e551116 iBCS-2.1-12.src.rpm ada8415ed350c5013bf29fc84931741b linux-2.2.14-9.src.rpm 14b4fb11304a0083ee44edd27dba4543 pcmcia-cs-3.1.8-5.src.rpm 6.3 Installing Fixed Packages Upgrade the affected packages with the following commands: /sbin/modprobe loop rpm -Fvh hwprobe-20000214-6.i386.rpm iBCS-2.1-12.i386.rpm \ iBCS-extras-2.1-12.i386.rpm \ iBCS-module-2.1_2.2.14-12.i386.rpm \ linux-kernel-binary-2.2.14-9.i386.rpm \ linux-kernel-doc-2.2.14-9.i386.rpm \ linux-kernel-include-2.2.14-9.i386.rpm \ linux-source-alpha-2.2.14-9.i386.rpm \ linux-source-arm-2.2.14-9.i386.rpm \ linux-source-common-2.2.14-9.i386.rpm \ linux-source-i386-2.2.14-9.i386.rpm \ linux-source-m68k-2.2.14-9.i386.rpm \ linux-source-mips-2.2.14-9.i386.rpm \ linux-source-ppc-2.2.14-9.i386.rpm \ linux-source-sparc-2.2.14-9.i386.rpm \ linux-source-sparc64-2.2.14-9.i386.rpm \ pcmcia-cs-3.1.8-5.i386.rpm 7. OpenLinux 3.1 Server 7.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS The corresponding source code package can be found at: ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS 7.2 Verification 87b5f36b72bb16e6e834c59233106b37 linux-kernel-binary-2.4.2-14S.i386.rpm 5188757fbd1cbcc307d53c0bbbba6aed linux-kernel-include-2.4.2-14S.i386.rpm 4723ba116d77e1afaaab9108d4f67392 linux-source-alpha-2.4.2-14S.i386.rpm 8d5b667a2238e549d01523a9028d0def linux-source-arm-2.4.2-14S.i386.rpm 7b1040fce5eb2c13069f12e0f98f459f linux-source-common-2.4.2-14S.i386.rpm d4d72adbd977c3cd736d6d292fa96f66 linux-source-i386-2.4.2-14S.i386.rpm e13ee045818e08ea58ebac07e3a7683b linux-source-ia64-2.4.2-14S.i386.rpm 63f8af9364b41a5ed8529922b2b86085 linux-source-m68k-2.4.2-14S.i386.rpm 1efcb66cef3cfb73267bc383192977e5 linux-source-mips-2.4.2-14S.i386.rpm eb531f7e844276dadcfb64a61e14d91b linux-source-ppc-2.4.2-14S.i386.rpm bdbb2c789f16563881f1bb24384a1e13 linux-source-s390-2.4.2-14S.i386.rpm afab346de67d5298b680d9f3f585df85 linux-source-sparc-2.4.2-14S.i386.rpm 4365699de967a365b09f92f683447b90 linux-source-superH-2.4.2-14S.i386.rpm 38226719588775988ffdd5db0adacb10 linux-2.4.2-14S.src.rpm 7.3 Installing Fixed Packages Upgrade the affected packages with the following commands: /sbin/modprobe loop rpm -Fvh linux-kernel-binary-2.4.2-14S.i386.rpm \ linux-kernel-include-2.4.2-14S.i386.rpm \ linux-source-alpha-2.4.2-14S.i386.rpm \ linux-source-arm-2.4.2-14S.i386.rpm \ linux-source-common-2.4.2-14S.i386.rpm \ linux-source-i386-2.4.2-14S.i386.rpm \ linux-source-ia64-2.4.2-14S.i386.rpm \ linux-source-m68k-2.4.2-14S.i386.rpm \ linux-source-mips-2.4.2-14S.i386.rpm \ linux-source-ppc-2.4.2-14S.i386.rpm \ linux-source-s390-2.4.2-14S.i386.rpm \ linux-source-sparc-2.4.2-14S.i386.rpm \ linux-source-superH-2.4.2-14S.i386.rpm /sbin/depmod -a 8. OpenLinux 3.1 Workstation 8.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS The corresponding source code package can be found at: ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS 8.2 Verification b170636148d3d057237913b3870d916f linux-kernel-binary-2.4.2-14D.i386.rpm a1f3dd1fe8ac717999a8fc963227c40e linux-kernel-include-2.4.2-14D.i386.rpm b033e7f2b3bea97b65b636cc5ab67de9 linux-source-alpha-2.4.2-14D.i386.rpm c8fd9e36df0d6008fad4c3beb31e3bdb linux-source-arm-2.4.2-14D.i386.rpm 452b0df69c68d10f3bdac57c08e9cf17 linux-source-common-2.4.2-14D.i386.rpm d7e8c4157df7a7b9bb0116f673c67b1d linux-source-i386-2.4.2-14D.i386.rpm 25911c50aa631b48712da3b877eb4c72 linux-source-ia64-2.4.2-14D.i386.rpm 3ea9d607e08b15ff646d45100754c05f linux-source-m68k-2.4.2-14D.i386.rpm 339be8f2e0fd2eafefb41c256acf0412 linux-source-mips-2.4.2-14D.i386.rpm 47ce33f13fde399aa62b0d20b677150b linux-source-ppc-2.4.2-14D.i386.rpm 9a3f948f6e104bb7bbc8c2105b218bcf linux-source-s390-2.4.2-14D.i386.rpm fa3416e60a2af27c529a72cf446885ed linux-source-sparc-2.4.2-14D.i386.rpm 07f6fc32a1002845413fc77bdd7c61f0 linux-source-superH-2.4.2-14D.i386.rpm 1d13bd90b32d5fa065b0afa2484df0f2 linux-2.4.2-14D.src.rpm 8.3 Installing Fixed Packages Upgrade the affected packages with the following commands: /sbin/modprobe loop rpm -Fvh linux-kernel-binary-2.4.2-14D.i386.rpm \ linux-kernel-include-2.4.2-14D.i386.rpm \ linux-source-alpha-2.4.2-14D.i386.rpm \ linux-source-arm-2.4.2-14D.i386.rpm \ linux-source-common-2.4.2-14D.i386.rpm \ linux-source-i386-2.4.2-14D.i386.rpm \ linux-source-ia64-2.4.2-14D.i386.rpm \ linux-source-m68k-2.4.2-14D.i386.rpm \ linux-source-mips-2.4.2-14D.i386.rpm \ linux-source-ppc-2.4.2-14D.i386.rpm \ linux-source-s390-2.4.2-14D.i386.rpm \ linux-source-sparc-2.4.2-14D.i386.rpm \ linux-source-superH-2.4.2-14D.i386.rpm /sbin/depmod -a 9. References This and other Caldera security resources are located at: http://www.caldera.com/support/security/index.html This security fix closes Caldera's internal Problem Report 10835. 10. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux. 11. Acknowledgements Caldera International Inc. wants to thank Andi Kleen of SuSE for spotting and sending a patch and David Miller for refining it. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE75qM/18sy83A/qfwRAmQWAJ9+1yMqGz7TmiV5qO1bvgYpQjASuQCgtP6q +bK2B7diVD8AM78+qv5yYkI= =8D+y -----END PGP SIGNATURE-----